Overview of COBIT standards

Control Objectives for Information and Related Technology - Overview of standards

Published in: Education, Business, Technology
Speaker notes:
  • Difference between COBIT 4 and 4.1:
    simplified descriptions of "Goals";
    cascading of processes and (bidirectional) relations between the "Business", the "IT Goals" and the "IT Processes".
  • PROCESSES NEED CONTROLS
    Control is defined as the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
Slide transcript: Overview of COBIT standards

    1. IT Audit and Risk Management Presentation. Presentation was last accessed on Thursday, October 8 2009 10:23:11 PM.
    2. IT Audit and Risk Management Presentation. Group 2: PGPM508_12 Gunvel Sivaram; PGPM508_52 On Ali Abbasi; PGPM508_41 Saurav Swapnil; PGPM508_33 Prasath L Krishna; PGPM508_59 Malviya Prashant.
    3. Will it work? It may actually work, thanks to experience, luck and a culture of "quick and dirty". But what happens when we need to document, improve, fix or find an error, or transfer responsibility? That is why we need governance.
    4. Focus areas. COBIT is a set of best practices (a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). Focus areas: linkage of business and IT plans; optimal investment; tracking and monitoring of implementation; value proposition (promised benefit against strategy); clear understanding, risk appetite, compliance.
    5. Mission and history. Mission: "to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors." History: COBIT 1, 1996: Audit; COBIT 2, 1998: Control; COBIT 3, 2000: Management, 2003: online version; COBIT 4 and 4.1, 2005: Governance, 2007: version 4.1. Managers, auditors and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies' assets through the development of an IT governance model.
    6. Basic COBIT principle: where COBIT fits in.
    7. Basic COBIT principle: COBIT is business focused. Diagram text as extracted, with the diagram boxes missing: "drive the investments in ... that are used by ... which responds to ... to deliver ...".
    8. Basic COBIT framework: the COBIT cube. IT resources are managed by IT processes to achieve IT goals that respond to the business requirements.
    9. Basic COBIT principle: where COBIT fits in.
    10. Basic COBIT principle: COBIT is controls based. Diagram labels: Norms, Standards, Objectives; Process; Compare; Act; Control; Information. Controls are statements of managerial actions to increase value or reduce risk; they consist of the policies, procedures, practices and organizational structures that provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
    11. Basic COBIT principle: where COBIT fits in.
    12. Basic COBIT principle: COBIT is measurement driven. Maturity models enable benchmarking and identification of necessary capability improvements. Performance goals and metrics for the IT processes demonstrate how processes meet business and IT goals and are used for measuring internal process performance based on balanced scorecard principles. Activity goals enable effective process performance.
    13. Basic COBIT principle: where COBIT fits in.
    14. Basic COBIT 4.1 principle: COBIT is process oriented. Plan & Organize provides direction to solution delivery (AI) and service delivery (DS).
    15. COBIT structure: Plan & Organize (IT processes). The PO domain covers the use of information and technology and how best it can be used in a company to help achieve the company's goals and objectives. It also highlights the organizational and infrastructural form IT needs to take in order to achieve optimal results and to generate the most benefits from the use of IT.
    16. COBIT structure: Plan & Organize IT processes, with the mapping of ISO/IEC 27002:2007 objectives to each COBIT process (+ = good match, more than 2 objectives; - = no or minor match):
       PO1 Define a Strategic IT Plan and Direction (-)
       PO2 Define the Information Architecture (+)
       PO3 Determine Technological Direction (-)
       PO4 Define the IT Processes, Organization and Relationships (-)
       PO5 Manage the IT Investment (+)
       PO6 Communicate Management Aims and Direction (+)
       PO7 Manage IT Human Resources (+)
       PO8 Manage Quality (+)
       PO9 Assess and Manage IT Risks (-)
       PO10 Manage Projects (-)
    17. COBIT structure: Plan & Organize, summary. Inputs: requirements. Outputs: DS and AI. Core activities: iterative strategic definition stage. Sub-core activities: managing the purse strings, people and communication. Other activities: managing quality, IT risks and projects, plus many monitoring and evaluation techniques.
    18. COBIT structure: Acquire & Implement (IT processes). The AI domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.
    19. COBIT structure: Acquire & Implement, summary. Inputs: requirements and PO activities. Outputs: DS and PO. Core activities: identifying the solution, maintaining software and infrastructure, change and configuration management, enabling its use, and implementing the result into the operational environment. Other activities: managing quality, IT risks and projects, many monitoring and evaluation techniques, and finally procuring the IT resources.
    20. COBIT structure: Deliver & Support. DS processes:
       DS1 Define and Manage Service Levels
       DS2 Manage Third-party Services
       DS3 Manage Performance and Capacity
       DS4 Ensure Continuous Service
       DS5 Ensure Systems Security
       DS6 Identify and Allocate Costs
       DS7 Educate and Train Users
       DS8 Manage Service Desk and Incidents
       DS9 Manage the Configuration
       DS10 Manage Problems
       DS11 Manage Data
       DS12 Manage the Physical Environment
       DS13 Manage Operations
       The DS domain is concerned with the actual delivery of required services: service delivery, management of security and continuity, service support for users, management of data, and operational facilities. It typically addresses the following management questions: Are IT services being delivered in line with business priorities? Are IT costs optimized? Is the workforce able to use the IT systems productively and safely? Are adequate confidentiality, integrity and availability in place?
    21. Deliver & Support example: DS1 Define and Manage Service Levels. Effective communication between IT management and business customers regarding the services required is enabled by a documented definition and agreement of IT services and service levels. This process also includes monitoring and timely reporting to stakeholders on the accomplishment of service levels. This process enables alignment between IT services and the related business requirements.
    22. DS1 Define and Manage Service Levels, control objectives: DS1.1 Service Level Management Framework; DS1.2 Definition of Services; DS1.3 Service Level Agreements; DS1.4 Operating Level Agreements; DS1.5 Monitoring and Reporting of Service Level Achievements; DS1.6 Review of Service Level Agreements and Contracts.
    23. DS1 Define and Manage Service Levels.
    24. COBIT structure: Monitor & Evaluate (IT processes). ME1 Monitor and Evaluate IT Performance; ME2 Monitor and Evaluate Internal Control; ME3 Ensure Regulatory Compliance; ME4 Provide IT Governance.
    25. COBIT structure: Monitor & Evaluate. ME1 Monitor and Evaluate IT Performance:
       Monitoring approach: establish a general monitoring framework and approach that define the scope, methodology and process to be followed for monitoring IT's contribution.
       Definition and collection of monitoring data: define a balanced set of performance objectives, measures, targets and benchmarks, and have them signed off by stakeholders.
       Monitoring method: deploy a method that provides a succinct, all-round view of IT performance and fits within the enterprise monitoring system.
       Performance assessment: periodically review performance against targets and take remedial action against initial deviations.
       Board and executive reporting: management reports containing progress against set targets.
       Remedial actions: identify and initiate remedial actions based on the performance monitoring, assessment and reporting.
    26. COBIT structure: Monitor & Evaluate. ME2 Monitor and Evaluate Internal Control:
       Monitoring of the internal control framework: continuous assessment against industry best practices and benchmarks to improve the IT control environment.
       Supervisory review: compliance with policies and standards, information security, change controls.
       Control exceptions: record information on exceptions and ensure proper analysis of the underlying issues.
       Control self-assessment: evaluate the completeness and effectiveness of management's internal controls through a continuing programme of self-assessment.
       Assurance of internal control: third-party review.
       Remedial actions: identify and initiate remedial actions based on control assessment and reporting; review negotiation and understanding of management responses.
    27. COBIT structure: Monitor & Evaluate. ME3 Ensure Regulatory Compliance:
       Identification of laws and regulations having potential impact on IT: define and implement a process to ensure timely identification of local and international regulatory requirements and policies related to information and information service delivery.
       Optimization of response to regulatory requirements: review and optimize IT policies, standards and procedures to ensure legal requirements are covered.
       Evaluation of compliance with regulatory requirements.
       Positive assurance of compliance: regular reporting of corrective actions being taken by process owners.
       Integrated reporting: integrate IT reporting on regulatory requirements with similar output from other business functions.
    28. COBIT structure: Monitor & Evaluate. ME4 Provide IT Governance:
       Establishment of an IT governance framework: define a framework including leadership, processes, roles and responsibilities, information requirements and organizational structure.
       Strategic alignment: develop a shared understanding of business and IT.
       Resource management: optimize the investment, use and allocation of IT assets through regular assessments.
       Performance measurement: report performance to the board in a timely fashion.
       Independent assurance.
    29. Summary.
    30. How do you align an IT risk assessment with COBIT controls?
    31. CoBiT vs COSO:
       COSO: targets management controls | COBIT: targets IT controls specifically
       COSO: useful for management at large | COBIT: useful for IT management, users, and auditors
       COSO: how to do | COBIT: what to do
    32. CoBiT vs COSO. COSO components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring. COBIT domains: Plan & Organize, Acquire & Implement, Delivery & Support, Monitor & Evaluate. Underlying both: Supporting Applications and Related Infrastructure.
    33. Your security check. Thank you. Log out when you are finished. Who knows your password?
    34. References:
       New COBIT version 4.1 available: http://www.isaca.org/cobit
       http://itknowledgeexchange.techtarget.com/it-compliance/how-do-you-align-an-it-risk-assessment-with-cobit-controls/
       http://www.mahindrasatyam.net/services/business_value_enhancement/enterprise_risk_complaince_mngt.asp
       Ben Kalland, ITIL Expert and COBIT Foundation certified consultant, ben.kalland@tieturi.fi
